-
Type: Task
-
Resolution: Done
-
Priority: Critical - P2
-
Affects Version/s: None
-
Component/s: Cloud Manager
-
Labels: None
On-Prem MMS 1.4 brings some configuration changes for the "Configure Jetty for HTTPS" tutorial. Details are below, but the highlights of the change are:
- There is now a distinction between the keystore and the truststore
- The monitoring agent now validates SSL certificates by default
Details
1.) Typo here
-If the signed certifcate is PEM format, convert the certificate...
+If the signed certifcate is DER format, convert the certificate...
2.) New section at start of "Procedure" heading, before "Create Java Keystore"

Create Java Truststore

Generate Truststore

Import the PEM certificate into a Java truststore, so that the MMS server trusts its own "mms.centralUrl" when making HTTP requests:

/opt/mongodb/mms/jdk/bin/keytool -import -keystore mms-truststore.jks -file mms-ssl-unified.crt

Replace /opt/mongodb/mms with the path of the installation directory for the MMS server. /opt/mongodb/mms is the default installation directory. keytool will prompt for a Java keystore passphrase, as well as a yes/no confirmation to import the certificate. The passphrase chosen here is the one that the truststore password property set in step 4 must correspond to.
3.) Set Truststore and Keystore Location and Permissions

Issue the following sequence of commands to move the Java keystore and truststore files to the /etc/mongodb-mms directory and set the appropriate permissions:

sudo mv mms-truststore.jks mms-keystore.jks /etc/mongodb-mms/
sudo chown mongodb-mms:root /etc/mongodb-mms/*.jks
sudo chmod 600 /etc/mongodb-mms/*.jks

If the MMS application server runs as a different user, change mongodb-mms in the chown command as needed.
4.) Configure MMS Application to use SSL

JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStorePath=/etc/mongodb-mms/mms-truststore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslTrustStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=f6a5a6b19603c0c04f-97dbb68c2bb1"
5.) New section after "Restart MMS Application Server"

Starting with On-Prem MMS 1.4, the monitoring agent validates the SSL certificate of the MMS server by default. This means the monitoring agent must be configured to trust the MMS server if it is not using a certificate signed by a trusted third party.

To specify a self-signed certificate of the MMS server that the monitoring agent should trust, first copy your PEM certificate to /etc/mongodb-mms/:

sudo cp -a mms-ssl-unified.crt /etc/mongodb-mms/
sudo chown mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/mms-ssl-unified.crt
sudo chmod 600 /etc/mongodb-mms/mms-ssl-unified.crt

Then edit the following parameter in /etc/mongodb-mms/monitoring-agent.config:

sslTrustedMMSServerCertificate=/etc/mongodb-mms/mms-ssl-unified.crt

Restart your monitoring agent for the configuration update to take effect:

sudo /etc/init.d/mongodb-mms-monitoring-agent restart
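The five changes above are steps of one procedure. The script below is an added example, not code from the MMS documentation or from the MMS product, that wraps the procedure in re-runnable functions: a non-interactive truststore import (the -noprompt, -alias and -storepass keytool flags are additions to the command shown in step 2), a permission check on the store and certificate files, an idempotent edit of sslTrustedMMSServerCertificate in monitoring-agent.config, the four -Dxgen properties from step 4 assembled into one string, and an openssl check of what the agent will actually see after the restart. MMS_HOME, MMS_CONF, MMS_USER and AGENT_USER are hypothetical environment knobs defaulting to the values used on this page; the passwords, the alias name and the demo config contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the MMS 1.4 docs): the truststore / agent-trust
# procedure as re-runnable functions plus the checks a practitioner wants.
# Hypothetical knobs, defaulting to the page's paths and users:
set -eu
MMS_HOME="${MMS_HOME:-/opt/mongodb/mms}"
MMS_CONF="${MMS_CONF:-/etc/mongodb-mms}"
MMS_USER="${MMS_USER:-mongodb-mms}"
AGENT_USER="${AGENT_USER:-mongodb-mms-agent}"

# Step 2, without the interactive prompts: import the unified PEM into a new
# truststore, then confirm the entry really landed (alias name is constructed).
create_truststore() {
  cert="$1"; store="$2"; storepass="$3"
  "$MMS_HOME/jdk/bin/keytool" -import -noprompt -alias mms-server \
    -keystore "$store" -storepass "$storepass" -file "$cert"
  "$MMS_HOME/jdk/bin/keytool" -list -keystore "$store" -storepass "$storepass" \
    | grep -q 'mms-server'
}

# Octal mode of a file: GNU stat first, BSD stat as the fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Steps 3 and 5: one owner, mode 0600. chown needs root, so it is only
# attempted as root; chmod always runs and the mode is verified afterwards.
secure_file() {
  path="$1"; owner="$2"
  chmod 600 "$path"
  if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$path"; fi
  [ "$(file_mode "$path")" = "600" ]
}

# Step 5: idempotent key=value edit of monitoring-agent.config. An existing
# line for the key (even commented out with '#') is replaced in place;
# otherwise the key is appended, so re-running never duplicates it.
set_config_key() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^[#[:space:]]*$key=" "$file"; then
    sed -i.bak "s|^[#[:space:]]*$key=.*|$key=$value|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Read back the effective value of a key (empty if absent or commented out).
get_config_key() {
  sed -n "s/^$2=//p" "$1"
}

# Step 4: the four system properties MMS 1.4 reads for the Jetty keystore and
# truststore. The two encrypted-password values are whatever the existing
# JAVA_MMS_SSL_OPTS line already carries; they are plain parameters here.
java_ssl_opts() {
  trust_pw="$1"; key_pw="$2"
  opts="-Dxgen.webServerSslTrustStorePath=$MMS_CONF/mms-truststore.jks"
  opts="$opts -Dxgen.webServerSslTrustStoreEncryptedPassword=$trust_pw"
  opts="$opts -Dxgen.webServerSslKeyStorePath=$MMS_CONF/mms-keystore.jks"
  opts="$opts -Dxgen.webServerSslKeyStoreEncryptedPassword=$key_pw"
  printf '%s\n' "$opts"
}

# After the restarts: validate the chain the server presents against the same
# PEM the agent was told to trust, i.e. the check the 1.4 agent now performs.
# Needs openssl on the agent host; not exercised by the offline demo.
verify_agent_trust() {
  hostport="$1"; cert="$2"
  openssl s_client -connect "$hostport" -CAfile "$cert" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Offline demo on a constructed scratch copy of the agent config (no root).
demo() {
  tmp="$(mktemp -d)"
  cfg="$tmp/monitoring-agent.config"
  printf 'mmsApiKey=constructed-value\n#sslTrustedMMSServerCertificate=\n' > "$cfg"
  : > "$tmp/mms-ssl-unified.crt"      # empty placeholder standing in for the PEM
  secure_file "$tmp/mms-ssl-unified.crt" "$AGENT_USER:$AGENT_USER"
  set_config_key "$cfg" sslTrustedMMSServerCertificate "$tmp/mms-ssl-unified.crt"
  get_config_key "$cfg" sslTrustedMMSServerCertificate
  java_ssl_opts constructed-trust-pw constructed-key-pw
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `demo` as the first argument for the offline dry run against a scratch config. On a real host, call verify_agent_trust against the host:port of mms.centralUrl after restarting the agent; any "Verify return code" other than 0 (ok) is exactly the condition the 1.4 agent now rejects by default, and it is cheaper to find that with openssl than by waiting for the agent to stop reporting.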
- related to DOCS-3049 Port "Configure Jetty HTTPS" tutorial to Steps Format (Closed)